Sysvol rebuild on a single domain controller

Similar Messages

• Old domain controller crashed. Created a new one..having to rejoin computers to domain..easier way to do this?

  I had a single domain controller. It has crashed. I had to create a new domain controller with all the same existing information from the old server..same domain name, server name, and IP. Im having issues with desktops. Everything is setup on the server.
  The desktops however I need to rejoin them to the domain and get them to start synching properly. But when I do this, the profile is resetting itself to a new profile. How can I keep the same profile with the same documents. Or am I out of luck on this and
  have to recreate the profiles. I have had to recreate the profiles so far, but do not want to do this for about 5 computers because there is way to much software and work that will need to be involved in moving these profiles. Any shortcut for these computers
  to automatically see this domain server and synch to it? Everything is identical to the old server. The old server is inaccessible.
  The new servers domain name is the same, IP address is the same, and computer name is the same. AD running with all identical information. DNS installed.
  Let me know if anyone has some advice on here.

  There's unfortunately a lot more involved than names, domain names and IP addresses.
  Most of those are linked to long numbers such as "SID"s and "GUID"s in the background that actually govern the interaction between clients and servers (authentication for one).
  Without the same SIDs and GUID, I fear there will be no end to your problems.
  That's why either a second domain controller or a good backup are so important. 
  Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.

• ChaRM config with Single domain

  Hi Guru's,
  I am in situation where I have to configure Change request Management with Single Domain Controller in Solution Manager 7.1  SP11.
  I have configured transport routes in ECC development system (000) to Integration , quality and production and now I want to add this configuration to Solution manager without domain link.
  please help me on this greatly appreciated
  thanks

  Hi Srini,
  Check the below note for active ChaRM with out domain link
  1384598 - Harmonizing RFC communication infrastructure in ChaRM/QGM
  1756014 - Harmonizing RFC communication infrastructure for ChaRM Check
  Rg,
  Karthik

• Server 2012 Secondary Domain Controller not picking up AD nor DNS responsibilities

  I had a single Domain Controller providing AD, DNS and  DHCP.  I went through the steps to add a Secondary Domain Controller.  All the AD and DNS info shows up in the Secondary Server, however, when my original Domain Controller is turned
  off, the second Domain Controller is not taking over for AD and DNS.

  Hi Bayousmurf,
  Good that you made some progress. However, can you please provide us the information on how you acheived transfering FSMO role to another DC since you had some issue earlier?
  Your initial intention was to demote the original DC. Please follow the below link for the steps to demote the DC.
  http://technet.microsoft.com/en-in/library/jj574104.aspx
  Still if I power off the original DC the new one isn't taking up DNS.  Still looking into the DNS...
  Can you please elaborate what exactly you are looking for? When you power off original DC, you don't see DNS in new DC? Is your DNS active directory integrated? If not please follow the below procedure to make it as a AD integrated. Once done, then, power
  off original DC and look in new DC to see if DNS shows up.
  http://www.tomshardware.com/faq/id-1954324/configure-active-directory-integrated-dns-zone-windows-server-2012-dns-server.html
  Thanks,
  Umesh.S.K

• JCIFS NTLM - giving backup domain controller in web.xml

  Hi All,
  We are using JCIFS NTLM authentication, for which we've configured the filter in web.xml like this
  ... other code ...
  <filter>
      <filter-name>NtlmHttpFilter</filter-name>
      <filter-class>jcifs.http.NtlmHttpFilter</filter-class>
      <init-param>
          <param-name>jcifs.http.domainController</param-name>
          <param-value>SERVER1</param-value>
      </init-param>
      ..... other code .....the above code specifies a single domain controller SERVER1 for the NTLM authentication. Suppose, I want to give one more server also (i.e. when the SERVER1 down, NTLM should check my backup server SERVER2), how do I give it in the above code? Is it like <param-value>SERVER1, SERVER 2</param-value> ?
  Thanks in advance.

  I am facing the same exact problem.
  <filter>
            <filter-name>NtlmHttpFilter</filter-name>
            <filter-class>jcifs.http.NtlmHttpFilter</filter-class>
            <init-param>
                 <param-name>jcifs.http.domainController</param-name>
                 <param-value>corg0dc02</param-value>
            </init-param>
  </filter>
      <filter-mapping>
           <filter-name>NtlmHttpFilter</filter-name>
           <url-pattern>/*</url-pattern>
      </filter-mapping>
     Is it possible to use EL or equivalent instead of hard-coding the param-value? Is this allowed in the Servlet spec?
  I would like to read the param-value from a properties file or DB table if possible.
  Edited by: asookazian on May 21, 2009 10:34 PM

• Sysvol is not visible in my last domain controller

  Hi everybody, I need some help with my last domain controller I had 2 DC's the one that had the fsmo roles crashed and after that I peform a Seizing of the roles and proceed to promote another DC after that DC was promoted I checked the SYSVOL and NetLOGON
  shares and they were are not, I wait for 24 ours and after that checked the event log of recovered DC and I sow the 13568 Event ID from NTFRS service, that event recommended to configure the registry with the "Enable Journal Wrap Automatic Restore"
  to "1", after that I restart NTFRS service and the SYSVOL and Netlogon Shares disapear, Now users can't logon and I can see the GPOS, What I should do?
  Thanks in Advance.
  Felxs
  Felx

  Make sure you perform a metadata cleanup
  http://blogs.dirteam.com/blogs/paulbergson/archive/2009/06/09/active-directory-cleanup-the-most-common-question-i-see.aspx
  Followed by diagnostics to ensure things are looking good
  http://blogs.dirteam.com/ControlPanel/Blogs/postlist.aspx?PageIndex=4
  Paul Bergson
  MVP - Directory Services
  MCITP: Enterprise Administrator
  MCTS, MCT, MCSE, MCSA, Security, BS CSci
  2012, 2008, Vista, 2003, 2000 (Early Achiever), NT4
  Twitter @pbbergs http://blogs.dirteam.com/blogs/paulbergson
  Please no e-mails, any questions should be posted in the NewsGroup.
  This posting is provided AS IS with no warranties, and confers no rights.

• Install Domain Controller, Active Directory, RemoteApps on Single Server?

  Have a server that I want to experiment with RemoteApps.   Documentation I have read state you need to have a Domain Controller setup with AD on one server, and have a second server to install all the RemoteApps requirements. Is this true or can
  this all be done on one server.
  If I need a separate server for the Domain Controller and Active Directory, can I assume that a low end server would be sufficient?  Or would using Hyper-V with a single hardware server and create two virtual machines: one as the DC/AD, and the other
  to run Remote Apps be a possible solution.  Any advice?

  it really depends to be honest. I'd probably go something like this though:
  One Small physical server to act as a domain controller - you could put DHCP on this too
  One or Two physical, quite powerful servers to act as Hyper-V hosts - these can be domain joined. 
  Then for your VM's create the following:
  1 x additional domain controller
  For remote desktop services:
  1 x Remote Desktop Session Host
  1 x Connection Broker
  1 x Gateway and web server
  For additional services
  1 or 2 x Exchange
  1 x sharepoint
  1 x IIS
  but it really depends what you want to achieve. 
  The benefit from Virtual machines is that you can keep separate virtual servers for separate applications. 
  If you have two hosts you could then replicate the virtual machines between them if you wanted some layer of fault tolerance. 
  Hope this helps you a bit more. And thanks for positive blog feedback - its appreciated. 
  Regards,
  Denis Cooper
  MCITP EA - MCT
  Help keep the forums tidy, if this has helped please mark it as an answer
  My Blog
  LinkedIn:

• Rebuilding Domain controller & Transport Routes after system refresh

  I have refreshed Dev from Prdn, now my domain controller only shows single system
  I have documentation but, it is confusing to me how to have QAS and Prdn join the domain controller again and show the domain as a three tier system
  When I log into QAS and Prdn I still see the old 3 tier system including the domain and the other systems.
  Please advise
  maria
  Edited by: Maria Graziano on Mar 27, 2008 3:53 PM

  You don't perform backup of domain controller.
  You only designate in STMS one of servers as "Backup Domain Controller"
  when Primary  controller fails than "Backup domain Controller" takes his role and becomes a primary.
  So action to refresh domain controller is:
  1. Designate one of servers as backup domain controller
  2. Backup transport directory if it is on refreshed server (just in case)
  3. Switch backup controller to become primary
  4. Refresh primary system
  5. Join refreshed system to domain
  6. Switch back primary function to refreshed server
  Regards,
  Wojtek

• Question about adding Windows 2012 R2 Domain Controller, into a native Windows 2008 R2 single forest domain

  I current have a two server domain, both Windows 2008 R2 and fully updated.   The two servers are on subnet 10.0.1.0 /24
  - Windows 2008 R2 Server A: 10.0.1.1 (DC, GC, FSMO, DNS)
  - Windows 2008 R2 Server B: 10.0.1.2 (DC, GC)
  AD Domain: COMPANY.LOCAL
  I have a second connected subnet, 192.168.1.0 /24) which is routed to the 10.0.1.0/24 subnet and I would like to install a Windows 2012 R2 server onto a server on that subnet and make it a domain controller with AD-Integrated DNS and DHCP for the 192.168.1.0
  /24 subnet.
  - Windows 2012 R2 Server C: 192.168.1.1
  What are the proper progression steps, in order to bring up the Windows 2012 R2 server and then add it to my COMPANY.LOCAL domain and then promote it do a DC/GC/AD-Integrated DNS server?   Are they anything like the following:
  1. Install Windows 2012 R2 server (Server C)
  2. Point Windows 2012 R2 server DNS servers at Server's A and B
  3. Perform AD prep to extend AD schema to support Windows 2012 R2 domain controllers
  4. Promote Windows 2012 R2 server to domain controller (install local DNS service on Server C, during this step)
  * Question:  Will Windows automatically create a DNS zone for the Windows 2012 R2 subnet (192.168.1.0/24) AND also include the DNS zone from the previous Windows 2008 R2 domain (10.0.1.0 /24)?  Or will I need to add the 10.0.1.0 /24 zone to the DNS
  server on Server C, even though the DNS from the Windows 2008 R2 domain is AD integrated?

  Hi,
  Regarding the issue here, please take a look into below articles:
  System Requirements and Installation Information for Windows Server 2012 R2
  http://technet.microsoft.com/en-us/library/dn303418.aspx
  Release Notes: Important Issues in Windows Server 2012 R2
  http://technet.microsoft.com/en-us/library/dn387077.aspx
  Install a Replica Windows Server 2012 Domain Controller in an Existing Domain (Level 200)
  http://technet.microsoft.com/en-us/library/jj574134.aspx
  Here is an example for promoting Windows Server 2012 to a DC, see:
  Step-by-Step Guide for Setting Up A Windows Server 2012 Domain Controller
  http://social.technet.microsoft.com/wiki/contents/articles/12370.step-by-step-guide-for-setting-up-a-windows-server-2012-domain-controller.aspx
  As the server is promoted to a DC, DNS Zones will be replicated and synchronized to it automatically whenever the new one is added to an AD DS domain,  bascially there is no special need to add zones,  for more information, please see:
  Understanding Active Directory Domain Services Integration
  http://technet.microsoft.com/en-us/library/cc726034.aspx
  Hope this may help
  Best regards
  Michael
  If you have any feedback on our support, please click
  here.
  Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

• Unable to demote a domain controller

  Hi Everone,
  My primary DC is windows Server 2012 R2 and ADC is windows Server 2008 x64
  I am trying to demote  Windows Server 2008 x64 and i am facing issues.
  when i demote2008 I am getting Error : A Domain Controller could not be contacted for the domain(mydomain.com) that contains
  an account for this computers.Make the computer a member of a workgroup then rejoin the domain before retrying the prmotion.
  The specified domain either doesnot exist or could not be contacted
  When i browse my \\windows2012dc i cannot see sysvol and netlogon shared folders.
  on window2012dc C:\windows\sysvol\mydomain and mydomain folder is empty.(no issues with replication in sites and services and no issues with connectivity or gateway )
  please guide me because i dont want forceful demote.

  I would first recommend taking backups of both DCs before proceeding with any changes.
  Before trying a forced demotion, you can try the following:
  Make sure that both DCs have a single NIC card enabled and only one IP address in use
  Make both DCs point to the other as primary DNS server, their private IP addresses as secondary DNS server and 127.0.0.1 as third one. Once done, run
  ipconfig /registerdns and restart netlogon service
  Disable any security filtering between both DCs and temporary disable security software you use
  If this does not help then you need to proceed with a forced demotion.
  You can then proceed like the following (First, Use dcdiag to check that the Windows Server 2012 R2 DC has no problems apart of the SYSVOL folder and the replication with the other DC):
  Shutdown the DC running Windows Server 2008 (Do not bring it online again without re-installing it later)
  Seize all FSMO roles to your Windows Server 2012 R2 DC if it is not already the current FSMO holder: http://support.microsoft.com/KB/255504
  Do a metadata cleanup to remove the data of the old Windows Server 2008 DC: Use
  dssite.msc to remove its NTDS settings and object over there then use
  dsa.msc to remove its AD account
  Rebuild your SYSVOL tree: http://support.microsoft.com/kb/315457
  This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
  Get Active Directory User Last Logon
  Create an Active Directory test domain similar to the production one
  Management of test accounts in an Active Directory production domain - Part I
  Management of test accounts in an Active Directory production domain - Part II
  Management of test accounts in an Active Directory production domain - Part III
  Reset Active Directory user password

• ISSUE: "This domain controller must register a DNS SRV resource record, which is required for replication to function correctly"

  so we currently have three domain controllers set up, two of them on 2012r2 and one of them on 2008r2. prior to any of these domain controllers being added to the domain there was only one, running on 2003r2. the 2003r2 server was up and running when the
  first 2012r2 was added and that's when running 'dcdiag /e /c /v' would yield an issue with "_ldap._tcp.9a5f3c17-e7ac-48f7-ab42-bf1ea621a6f5.domains._msdcs.cmedia.local" in the DNS portion of the diagnostics, specifically:
  TEST: Records registration (RReg)
  Network Adapter [00000010] Microsoft Hyper-V Network Adapter:
  Error:
  Missing SRV record at DNS server 192.168.22.4:
  _ldap._tcp.9a5f3c17-e7ac-48f7-ab42-bf1ea621a6f5.domains._msdcs.cmedia.local
  after adding the second 2012r2 to the domain, this issue is still there... adding the 2008r2 server to the domain and running BPA it gives the following:
  Title:
  This domain controller must register a DNS SRV resource record, which is required for replication to function correctly
  Severity:
  Error
  Date:
  7/3/2014 11:24:48 AM
  Category:
  Configuration
  Issue:
  The "DcByGuid" DNS service (SRV) resource record that advertises this server as an available domain controller in the domain and ensures correct replication is not registered. All domain controllers (but not RODCs) in the domain must register this record.
  Impact:
  Other member computers and domain controllers in the domain or forest will not be able to locate this domain controller. This domain controller will not be able to provide a full suite of services.
  Resolution:
  Ensure that "DcByGuid" is not configured in the "DnsAvoidRegisteredRecords" list, either through Group Policy or through the registry. Restart the Netlogon service. Verify that the DNS service (SRV) resource record "_ldap._tcp.9a5f3c17-e7ac-48f7-ab42-bf1ea621a6f5.domains._msdcs.cmedia.local", pointing to the local domain controller "CM-DC4-NY01.cmedia.local", is registered in DNS.
  More information about this best practice and detailed resolution procedures: http://go.microsoft.com/fwlink/?LinkId=126968
  I've tried scanning and then re-scanning every single entry in DNS Manager and do not see any reference to this specific GUID mentioned, nor do I see any other domain controllers referenced that should not be in there. The two 2012r2 and the 2008r2 domain
  controllers are the only ones listed in DNS Manager... the 2003r2 mentioned earlier failed and was removed.

  Just to chime in, I noticed that you said you have one 2008 R2 DC, and two 2012 DCs.
  I also noticed in the ipconfig /all that all DCs are pointint to themselves for DNS. We usually like to see them point to a partner, then itslelf as the second entry, w hether loopback or by its own IP.
  Based on that, what I suggest to level the playing field by choosing the WIndows 2008 R2 DC as the first DNS on all DCs and only administer DNS using that DC. The reason I chose that is because of the least common denominator is what we rather use so we
  don't invoke any new features in the newer 2012 DNS console that 2008 R2 may not understand.  After that's done, on each DC run (and you can use a PowerShell window to run this):
  Rename the system32\config\netlogon.dns and netlogon.dnb files by suffixing ".old" to the file.
  ipconfig /registerdns
  net stop netlogon
  net start netlogon
  Then re-run the dcdiag /e /c /v.
  Post your results, please.
  Ace Fekay
  MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
  Microsoft Certified Trainer
  Microsoft MVP - Directory Services
  Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
  This posting is provided AS-IS with no warranties or guarantees and confers no rights.
  I thought the DNS entries were supposed to be the other way around? point to themselves first and a partner as secondary? regardless, as requested, I've changed it to what you've prescribed where they point to the 2008r2 server as the primary with themselves
  as the secondary. I've also followed the steps to what seems like refreshing the DNS? on each of the DCs. Here's the output from dcdiag /e /c /v
  Directory Server Diagnosis
  Performing initial setup:
  Trying to find home server...
  * Verifying that the local machine CM-DC1-NY01, is a Directory Server.
  Home Server = CM-DC1-NY01
  * Connecting to directory service on server CM-DC1-NY01.
  * Identified AD Forest.
  Collecting AD specific global data
  * Collecting site info.
  Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=cmedia,DC=local,LDAP_SCOPE_SUBTREE,(objectCategory
  =ntDSSiteSettings),.......
  The previous call succeeded
  Iterating through the sites
  Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cmedia
  ,DC=local
  Getting ISTG and options for the site
  * Identifying all servers.
  Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=cmedia,DC=local,LDAP_SCOPE_SUBTREE,(objectClass=nt
  DSDsa),.......
  The previous call succeeded....
  The previous call succeeded
  Iterating through the list of servers
  Getting information for the server CN=NTDS Settings,CN=CM-DC1-NY01,CN=Servers,CN=Default-First-Site-Name,CN=Sites
  ,CN=Configuration,DC=cmedia,DC=local
  objectGuid obtained
  InvocationID obtained
  dnsHostname obtained
  site info obtained
  All the info for the server collected
  Getting information for the server CN=NTDS Settings,CN=CM-DC3-NY01,CN=Servers,CN=Default-First-Site-Name,CN=Sites
  ,CN=Configuration,DC=cmedia,DC=local
  objectGuid obtained
  InvocationID obtained
  dnsHostname obtained
  site info obtained
  All the info for the server collected
  Getting information for the server CN=NTDS Settings,CN=CM-DC4-NY01,CN=Servers,CN=Default-First-Site-Name,CN=Sites
  ,CN=Configuration,DC=cmedia,DC=local
  objectGuid obtained
  InvocationID obtained
  dnsHostname obtained
  site info obtained
  All the info for the server collected
  * Identifying all NC cross-refs.
  * Found 3 DC(s). Testing 3 of them.
  Done gathering initial info.
  Doing initial required tests
  Testing server: Default-First-Site-Name\CM-DC1-NY01
  Starting test: Connectivity
  * Active Directory LDAP Services Check
  Determining IP4 connectivity
  * Active Directory RPC Services Check
  ......................... CM-DC1-NY01 passed test Connectivity
  Testing server: Default-First-Site-Name\CM-DC3-NY01
  Starting test: Connectivity
  * Active Directory LDAP Services Check
  Determining IP4 connectivity
  * Active Directory RPC Services Check
  ......................... CM-DC3-NY01 passed test Connectivity
  Testing server: Default-First-Site-Name\CM-DC4-NY01
  Starting test: Connectivity
  * Active Directory LDAP Services Check
  Determining IP4 connectivity
  * Active Directory RPC Services Check
  ......................... CM-DC4-NY01 passed test Connectivity
  Doing primary tests
  Testing server: Default-First-Site-Name\CM-DC1-NY01
  Starting test: Advertising
  The DC CM-DC1-NY01 is advertising itself as a DC and having a DS.
  The DC CM-DC1-NY01 is advertising as an LDAP server
  The DC CM-DC1-NY01 is advertising as having a writeable directory
  The DC CM-DC1-NY01 is advertising as a Key Distribution Center
  The DC CM-DC1-NY01 is advertising as a time server
  The DS CM-DC1-NY01 is advertising as a GC.
  ......................... CM-DC1-NY01 passed test Advertising
  Starting test: CheckSecurityError
  * Dr Auth: Beginning security errors check!
  Found KDC CM-DC1-NY01 for domain cmedia.local in site Default-First-Site-Name
  Checking machine account for DC CM-DC1-NY01 on DC CM-DC1-NY01.
  * SPN found :LDAP/CM-DC1-NY01.cmedia.local/cmedia.local
  * SPN found :LDAP/CM-DC1-NY01.cmedia.local
  * SPN found :LDAP/CM-DC1-NY01
  * SPN found :LDAP/CM-DC1-NY01.cmedia.local/cmedia
  * SPN found :LDAP/a29d12f1-2869-44bf-8e43-adf7ddf33865._msdcs.cmedia.local
  * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/a29d12f1-2869-44bf-8e43-adf7ddf33865/cmedia.local
  * SPN found :HOST/CM-DC1-NY01.cmedia.local/cmedia.local
  * SPN found :HOST/CM-DC1-NY01.cmedia.local
  * SPN found :HOST/CM-DC1-NY01
  * SPN found :GC/CM-DC1-NY01.cmedia.local/cmedia.local
  [CM-DC1-NY01] No security related replication errors were found on this DC! To target the connection to a
  specific source DC use /ReplSource:<DC>.
  ......................... CM-DC1-NY01 passed test CheckSecurityError
  Starting test: CutoffServers
  * Configuration Topology Aliveness Check
  * Analyzing the alive system replication topology for DC=ForestDnsZones,DC=cmedia,DC=local.
  * Performing upstream (of target) analysis.
  * Performing downstream (of target) analysis.
  * Analyzing the alive system replication topology for DC=DomainDnsZones,DC=cmedia,DC=local.
  * Performing upstream (of target) analysis.
  * Performing downstream (of target) analysis.
  * Analyzing the alive system replication topology for CN=Schema,CN=Configuration,DC=cmedia,DC=local.
  * Performing upstream (of target) analysis.
  * Performing downstream (of target) analysis.
  * Analyzing the alive system replication topology for CN=Configuration,DC=cmedia,DC=local.
  * Performing upstream (of target) analysis.
  * Performing downstream (of target) analysis.
  * Analyzing the alive system replication topology for DC=cmedia,DC=local.
  * Performing upstream (of target) analysis.
  * Performing downstream (of target) analysis.
  ......................... CM-DC1-NY01 passed test CutoffServers
  Starting test: FrsEvent
  * The File Replication Service Event log test
  ......................... CM-DC1-NY01 passed test FrsEvent
  Starting test: DFSREvent
  The DFS Replication Event Log.
  Skip the test because the server is running FRS.
  ......................... CM-DC1-NY01 passed test DFSREvent
  Starting test: SysVolCheck
  * The File Replication Service SYSVOL ready test
  File Replication Service's SYSVOL is ready
  ......................... CM-DC1-NY01 passed test SysVolCheck
  Starting test: FrsSysVol
  * The File Replication Service SYSVOL ready test
  File Replication Service's SYSVOL is ready
  ......................... CM-DC1-NY01 passed test FrsSysVol
  Starting test: KccEvent
  * The KCC Event log test
  Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
  ......................... CM-DC1-NY01 passed test KccEvent
  Starting test: KnowsOfRoleHolders
  Role Schema Owner = CN=NTDS Settings,CN=CM-DC1-NY01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Confi
  guration,DC=cmedia,DC=local
  Role Domain Owner = CN=NTDS Settings,CN=CM-DC1-NY01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Confi
  guration,DC=cmedia,DC=local
  Role PDC Owner = CN=NTDS Settings,CN=CM-DC1-NY01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configur
  ation,DC=cmedia,DC=local
  Role Rid Owner = CN=NTDS Settings,CN=CM-DC1-NY01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configur
  ation,DC=cmedia,DC=local
  Role Infrastructure Update Owner = CN=NTDS Settings,CN=CM-DC1-NY01,CN=Servers,CN=Default-First-Site-Name,CN
  =Sites,CN=Configuration,DC=cmedia,DC=local
  ......................... CM-DC1-NY01 passed test KnowsOfRoleHolders
  Starting test: MachineAccount
  Checking machine account for DC CM-DC1-NY01 on DC CM-DC1-NY01.
  * SPN found :LDAP/CM-DC1-NY01.cmedia.local/cmedia.local
  * SPN found :LDAP/CM-DC1-NY01.cmedia.local
  * SPN found :LDAP/CM-DC1-NY01
  * SPN found :LDAP/CM-DC1-NY01.cmedia.local/cmedia
  * SPN found :LDAP/a29d12f1-2869-44bf-8e43-adf7ddf33865._msdcs.cmedia.local
  * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/a29d12f1-2869-44bf-8e43-adf7ddf33865/cmedia.local
  * SPN found :HOST/CM-DC1-NY01.cmedia.local/cmedia.local
  * SPN found :HOST/CM-DC1-NY01.cmedia.local
  * SPN found :HOST/CM-DC1-NY01
  * SPN found :HOST/CM-DC1-NY01.cmedia.local/cmedia
  * SPN found :GC/CM-DC1-NY01.cmedia.local/cmedia.local
  ......................... CM-DC1-NY01 passed test MachineAccount
  Starting test: NCSecDesc
  * Security Permissions check for all NC's on DC CM-DC1-NY01.
  The forest is not ready for RODC. Will skip checking ERODC ACEs.
  * Security Permissions Check for
  DC=ForestDnsZones,DC=cmedia,DC=local
  (NDNC,Version 3)
  * Security Permissions Check for
  DC=DomainDnsZones,DC=cmedia,DC=local
  (NDNC,Version 3)
  * Security Permissions Check for
  CN=Schema,CN=Configuration,DC=cmedia,DC=local
  (Schema,Version 3)
  * Security Permissions Check for
  CN=Configuration,DC=cmedia,DC=local
  (Configuration,Version 3)
  * Security Permissions Check for
  DC=cmedia,DC=local
  (Domain,Version 3)
  ......................... CM-DC1-NY01 passed test NCSecDesc
  Starting test: NetLogons
  * Network Logons Privileges Check
  Verified share \\CM-DC1-NY01\netlogon
  Verified share \\CM-DC1-NY01\sysvol
  ......................... CM-DC1-NY01 passed test NetLogons
  Starting test: ObjectsReplicated
  CM-DC1-NY01 is in domain DC=cmedia,DC=local
  Checking for CN=CM-DC1-NY01,OU=Domain Controllers,DC=cmedia,DC=local in domain DC=cmedia,DC=local o
  n 3 servers
  Object is up-to-date on all servers.
  Checking for CN=NTDS Settings,CN=CM-DC1-NY01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuratio
  n,DC=cmedia,DC=local in domain CN=Configuration,DC=cmedia,DC=local on 3 servers
  Object is up-to-date on all servers.
  ......................... CM-DC1-NY01 passed test ObjectsReplicated
  Starting test: OutboundSecureChannels
  * The Outbound Secure Channels test
  ** Did not run Outbound Secure Channels test because /testdomain: was not entered
  ......................... CM-DC1-NY01 passed test OutboundSecureChannels
  Starting test: Replications
  * Replications Check
  * Replication Latency Check
  DC=ForestDnsZones,DC=cmedia,DC=local
  Latency information for 4 entries in the vector were ignored.
  4 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's
  no longer replicating this nc. 0 had no latency information (Win2K DC).
  DC=DomainDnsZones,DC=cmedia,DC=local
  Latency information for 4 entries in the vector were ignored.
  4 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's
  no longer replicating this nc. 0 had no latency information (Win2K DC).
  CN=Schema,CN=Configuration,DC=cmedia,DC=local
  Latency information for 4 entries in the vector were ignored.
  4 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's
  no longer replicating this nc. 0 had no latency information (Win2K DC).
  CN=Configuration,DC=cmedia,DC=local
  Latency information for 4 entries in the vector were ignored.
  4 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's
  no longer replicating this nc. 0 had no latency information (Win2K DC).
  DC=cmedia,DC=local
  Latency information for 4 entries in the vector were ignored.
  4 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's
  no longer replicating this nc. 0 had no latency information (Win2K DC).
  ......................... CM-DC1-NY01 passed test Replications
  Starting test: RidManager
  * Available RID Pool for the Domain is 16109 to 1073741823
  * CM-DC1-NY01.cmedia.local is the RID Master
  * DsBind with RID Master was successful
  * rIDAllocationPool is 4609 to 5108
  * rIDPreviousAllocationPool is 4609 to 5108
  * rIDNextRID: 4629
  ......................... CM-DC1-NY01 passed test RidManager
  Starting test: Services
  * Checking Service: EventSystem
  * Checking Service: RpcSs
  * Checking Service: NTDS
  * Checking Service: DnsCache
  * Checking Service: NtFrs
  * Checking Service: IsmServ
  * Checking Service: kdc
  * Checking Service: SamSs
  * Checking Service: LanmanServer
  * Checking Service: LanmanWorkstation
  * Checking Service: w32time
  * Checking Service: NETLOGON
  ......................... CM-DC1-NY01 passed test Services
  Starting test: SystemLog
  * The System Event log test
  A warning event occurred. EventID: 0x0000002F
  Time Generated: 07/08/2014 13:19:14
  Event String:
  Time Provider NtpClient: No valid response has been received from manually configured peer 0.ca.pool.ntp.org
  after 8 attempts to contact it. This peer will be discarded as a time source and NtpClient will attempt to discover a n
  ew peer with this DNS name. The error was: The peer is unreachable.
  Found no errors in "System" Event log in the last 60 minutes.
  ......................... CM-DC1-NY01 passed test SystemLog
  Starting test: Topology
  * Configuration Topology Integrity Check
  * Analyzing the connection topology for DC=ForestDnsZones,DC=cmedia,DC=local.
  * Performing upstream (of target) analysis.
  * Performing downstream (of target) analysis.
  * Analyzing the connection topology for DC=DomainDnsZones,DC=cmedia,DC=local.
  * Performing upstream (of target) analysis.
  * Performing downstream (of target) analysis.
  * Analyzing the connection topology for CN=Schema,CN=Configuration,DC=cmedia,DC=local.
  * Performing upstream (of target) analysis.
  * Performing downstream (of target) analysis.
  * Analyzing the connection topology for CN=Configuration,DC=cmedia,DC=local.
  * Performing upstream (of target) analysis.
  * Performing downstream (of target) analysis.
  * Analyzing the connection topology for DC=cmedia,DC=local.
  * Performing upstream (of target) analysis.
  * Performing downstream (of target) analysis.
  ......................... CM-DC1-NY01 passed test Topology
  Starting test: VerifyEnterpriseReferences
  ......................... CM-DC1-NY01 passed test VerifyEnterpriseReferences
  Starting test: VerifyReferences
  The system object reference (serverReference) CN=CM-DC1-NY01,OU=Domain Controllers,DC=cmedia,DC=local
  and backlink on
  CN=CM-DC1-NY01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cmedia,DC=local are
  correct.
  The system object reference (serverReferenceBL)
  CN=CM-DC1-NY01,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=cmedia,D
  C=local
  and backlink on
  CN=NTDS Settings,CN=CM-DC1-NY01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=chiefmed
  ia,DC=local
  are correct.
  The system object reference (frsComputerReferenceBL)
  CN=CM-DC1-NY01,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=cmedia,D
  C=local
  and backlink on CN=CM-DC1-NY01,OU=Domain Controllers,DC=cmedia,DC=local are correct.
  ......................... CM-DC1-NY01 passed test VerifyReferences
  Starting test: VerifyReplicas
  ......................... CM-DC1-NY01 passed test VerifyReplicas
  Testing server: Default-First-Site-Name\CM-DC3-NY01
  Starting test: Advertising
  The DC CM-DC3-NY01 is advertising itself as a DC and having a DS.
  The DC CM-DC3-NY01 is advertising as an LDAP server
  The DC CM-DC3-NY01 is advertising as having a writeable directory
  The DC CM-DC3-NY01 is advertising as a Key Distribution Center
  The DC CM-DC3-NY01 is advertising as a time server
  The DS CM-DC3-NY01 is advertising as a GC.
  ......................... CM-DC3-NY01 passed test Advertising
  Starting test: CheckSecurityError
  * Dr Auth: Beginning security errors check!
  Found KDC CM-DC1-NY01 for domain cmedia.local in site Default-First-Site-Name
  Checking machine account for DC CM-DC3-NY01 on DC CM-DC1-NY01.
  * SPN found :LDAP/CM-DC3-NY01.cmedia.local/cmedia.local
  * SPN found :LDAP/CM-DC3-NY01.cmedia.local
  * SPN found :LDAP/CM-DC3-NY01
  * SPN found :LDAP/CM-DC3-NY01.cmedia.local/cmedia
  * SPN found :LDAP/5e9d1971-39ca-484c-922d-411c2364c96e._msdcs.cmedia.local
  * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/5e9d1971-39ca-484c-922d-411c2364c96e/cmedia.local
  * SPN found :HOST/CM-DC3-NY01.cmedia.local/cmedia.local
  * SPN found :HOST/CM-DC3-NY01.cmedia.local
  * SPN found :HOST/CM-DC3-NY01
  * SPN found :HOST/CM-DC3-NY01.cmedia.local/cmedia
  * SPN found :GC/CM-DC3-NY01.cmedia.local/cmedia.local
  Checking for CN=CM-DC3-NY01,OU=Domain Controllers,DC=cmedia,DC=local in domain DC=cmedia,DC=local o
  n 2 servers
  Object is up-to-date on all servers.
  [CM-DC3-NY01] No security related replication errors were found on this DC! To target the connection to a
  specific source DC use /ReplSource:<DC>.
  ......................... CM-DC3-NY01 passed test CheckSecurityError
  Starting test: CutoffServers
  * Configuration Topology Aliveness Check
  * Analyzing the alive system replication topology for DC=ForestDnsZones,DC=cmedia,DC=local.
  * Performing upstream (of target) analysis.
  * Performing downstream (of target) analysis.
  * Analyzing the alive system replication topology for DC=DomainDnsZones,DC=cmedia,DC=local.
  * Performing upstream (of target) analysis.
  * Performing downstream (of target) analysis.
  * Analyzing the alive system replication topology for CN=Schema,CN=Configuration,DC=cmedia,DC=local.
  * Performing upstream (of target) analysis.
  * Performing downstream (of target) analysis.
  * Analyzing the alive system replication topology for CN=Configuration,DC=cmedia,DC=local.
  * Performing upstream (of target) analysis.
  * Performing downstream (of target) analysis.
  * Analyzing the alive system replication topology for DC=cmedia,DC=local.
  * Performing upstream (of target) analysis.
  * Performing downstream (of target) analysis.
  ......................... CM-DC3-NY01 passed test CutoffServers
  Starting test: FrsEvent
  * The File Replication Service Event log test
  ......................... CM-DC3-NY01 passed test FrsEvent
  Starting test: DFSREvent
  The DFS Replication Event Log.
  Skip the test because the server is running FRS.
  ......................... CM-DC3-NY01 passed test DFSREvent
  Starting test: SysVolCheck
  * The File Replication Service SYSVOL ready test
  File Replication Service's SYSVOL is ready
  ......................... CM-DC3-NY01 passed test SysVolCheck
  Starting test: FrsSysVol
  * The File Replication Service SYSVOL ready test
  File Replication Service's SYSVOL is ready
  ......................... CM-DC3-NY01 passed test FrsSysVol
  Starting test: KccEvent
  * The KCC Event log test
  Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
  ......................... CM-DC3-NY01 passed test KccEvent
  Starting test: KnowsOfRoleHolders
  Role Schema Owner = CN=NTDS Settings,CN=CM-DC1-NY01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Confi
  guration,DC=cmedia,DC=local
  Role Domain Owner = CN=NTDS Settings,CN=CM-DC1-NY01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Confi
  guration,DC=cmedia,DC=local
  Role PDC Owner = CN=NTDS Settings,CN=CM-DC1-NY01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configur
  ation,DC=cmedia,DC=local
  Role Rid Owner = CN=NTDS Settings,CN=CM-DC1-NY01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configur
  ation,DC=cmedia,DC=local
  Role Infrastructure Update Owner = CN=NTDS Settings,CN=CM-DC1-NY01,CN=Servers,CN=Default-First-Site-Name,CN
  =Sites,CN=Configuration,DC=cmedia,DC=local
  ......................... CM-DC3-NY01 passed test KnowsOfRoleHolders
  Starting test: MachineAccount
  Checking machine account for DC CM-DC3-NY01 on DC CM-DC3-NY01.
  * SPN found :LDAP/CM-DC3-NY01.cmedia.local/cmedia.local
  * SPN found :LDAP/CM-DC3-NY01.cmedia.local
  * SPN found :LDAP/CM-DC3-NY01
  * SPN found :LDAP/CM-DC3-NY01.cmedia.local/cmedia
  * SPN found :LDAP/5e9d1971-39ca-484c-922d-411c2364c96e._msdcs.cmedia.local
  * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/5e9d1971-39ca-484c-922d-411c2364c96e/cmedia.local
  * SPN found :HOST/CM-DC3-NY01.cmedia.local/cmedia.local
  * SPN found :HOST/CM-DC3-NY01.cmedia.local
  * SPN found :HOST/CM-DC3-NY01
  * SPN found :HOST/CM-DC3-NY01.cmedia.local/cmedia
  * SPN found :GC/CM-DC3-NY01.cmedia.local/cmedia.local
  ......................... CM-DC3-NY01 passed test MachineAccount
  Starting test: NCSecDesc
  * Security Permissions check for all NC's on DC CM-DC3-NY01.
  The forest is not ready for RODC. Will skip checking ERODC ACEs.
  * Security Permissions Check for
  DC=ForestDnsZones,DC=cmedia,DC=local
  (NDNC,Version 3)
  * Security Permissions Check for
  DC=DomainDnsZones,DC=cmedia,DC=local
  (NDNC,Version 3)
  * Security Permissions Check for
  CN=Schema,CN=Configuration,DC=cmedia,DC=local
  (Schema,Version 3)
  * Security Permissions Check for
  CN=Configuration,DC=cmedia,DC=local
  (Configuration,Version 3)
  * Security Permissions Check for
  DC=cmedia,DC=local
  (Domain,Version 3)
  ......................... CM-DC3-NY01 passed test NCSecDesc
  Starting test: NetLogons
  * Network Logons Privileges Check
  Verified share \\CM-DC3-NY01\netlogon
  Verified share \\CM-DC3-NY01\sysvol
  ......................... CM-DC3-NY01 passed test NetLogons
  Starting test: ObjectsReplicated
  CM-DC3-NY01 is in domain DC=cmedia,DC=local
  Checking for CN=CM-DC3-NY01,OU=Domain Controllers,DC=cmedia,DC=local in domain DC=cmedia,DC=local o
  n 3 servers
  Object is up-to-date on all servers.
  Checking for CN=NTDS Settings,CN=CM-DC3-NY01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuratio
  n,DC=cmedia,DC=local in domain CN=Configuration,DC=cmedia,DC=local on 3 servers
  Object is up-to-date on all servers.
  ......................... CM-DC3-NY01 passed test ObjectsReplicated
  Starting test: OutboundSecureChannels
  * The Outbound Secure Channels test
  ** Did not run Outbound Secure Channels test because /testdomain: was not entered
  ......................... CM-DC3-NY01 passed test OutboundSecureChannels
  Starting test: Replications
  * Replications Check
  * Replication Latency Check
  DC=ForestDnsZones,DC=cmedia,DC=local
  Latency information for 4 entries in the vector were ignored.
  4 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's
  no longer replicating this nc. 0 had no latency information (Win2K DC).
  DC=DomainDnsZones,DC=cmedia,DC=local
  Latency information for 4 entries in the vector were ignored.
  4 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's
  no longer replicating this nc. 0 had no latency information (Win2K DC).
  CN=Schema,CN=Configuration,DC=cmedia,DC=local
  Latency information for 4 entries in the vector were ignored.
  4 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's
  no longer replicating this nc. 0 had no latency information (Win2K DC).
  CN=Configuration,DC=cmedia,DC=local
  Latency information for 4 entries in the vector were ignored.
  4 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's
  no longer replicating this nc. 0 had no latency information (Win2K DC).
  DC=cmedia,DC=local
  Latency information for 4 entries in the vector were ignored.
  4 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's
  no longer replicating this nc. 0 had no latency information (Win2K DC).
  ......................... CM-DC3-NY01 passed test Replications
  Starting test: RidManager
  * Available RID Pool for the Domain is 16109 to 1073741823
  * CM-DC1-NY01.cmedia.local is the RID Master
  * DsBind with RID Master was successful
  * rIDAllocationPool is 15109 to 15608
  * rIDPreviousAllocationPool is 15109 to 15608
  * rIDNextRID: 15110
  ......................... CM-DC3-NY01 passed test RidManager
  Starting test: Services
  * Checking Service: EventSystem
  * Checking Service: RpcSs
  * Checking Service: NTDS
  * Checking Service: DnsCache
  * Checking Service: NtFrs
  * Checking Service: IsmServ
  * Checking Service: kdc
  * Checking Service: SamSs
  * Checking Service: LanmanServer
  * Checking Service: LanmanWorkstation
  * Checking Service: w32time
  * Checking Service: NETLOGON
  ......................... CM-DC3-NY01 passed test Services
  Starting test: SystemLog
  * The System Event log test
  Found no errors in "System" Event log in the last 60 minutes.
  ......................... CM-DC3-NY01 passed test SystemLog
  Starting test: Topology
  * Configuration Topology Integrity Check
  * Analyzing the connection topology for DC=ForestDnsZones,DC=cmedia,DC=local.
  * Performing upstream (of target) analysis.
  * Performing downstream (of target) analysis.
  * Analyzing the connection topology for DC=DomainDnsZones,DC=cmedia,DC=local.
  * Performing upstream (of target) analysis.
  * Performing downstream (of target) analysis.
  * Analyzing the connection topology for CN=Schema,CN=Configuration,DC=cmedia,DC=local.
  * Performing upstream (of target) analysis.
  * Performing downstream (of target) analysis.
  * Analyzing the connection topology for CN=Configuration,DC=cmedia,DC=local.
  * Performing upstream (of target) analysis.
  * Performing downstream (of target) analysis.
  * Analyzing the connection topology for DC=cmedia,DC=local.
  * Performing upstream (of target) analysis.
  * Performing downstream (of target) analysis.
  ......................... CM-DC3-NY01 passed test Topology
  Starting test: VerifyEnterpriseReferences
  ......................... CM-DC3-NY01 passed test VerifyEnterpriseReferences
  Starting test: VerifyReferences
  The system object reference (serverReference) CN=CM-DC3-NY01,OU=Domain Controllers,DC=cmedia,DC=local
  and backlink on
  CN=CM-DC3-NY01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cmedia,DC=local are
  correct.
  The system object reference (serverReferenceBL)
  CN=CM-DC3-NY01,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=cmedia,D
  C=local
  and backlink on
  CN=NTDS Settings,CN=CM-DC3-NY01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=chiefmed
  ia,DC=local
  are correct.
  The system object reference (frsComputerReferenceBL)
  CN=CM-DC3-NY01,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=cmedia,D
  C=local
  and backlink on CN=CM-DC3-NY01,OU=Domain Controllers,DC=cmedia,DC=local are correct.
  ......................... CM-DC3-NY01 passed test VerifyReferences
  Starting test: VerifyReplicas
  ......................... CM-DC3-NY01 passed test VerifyReplicas
  Testing server: Default-First-Site-Name\CM-DC4-NY01
  Starting test: Advertising
  The DC CM-DC4-NY01 is advertising itself as a DC and having a DS.
  The DC CM-DC4-NY01 is advertising as an LDAP server
  The DC CM-DC4-NY01 is advertising as having a writeable directory
  The DC CM-DC4-NY01 is advertising as a Key Distribution Center
  The DC CM-DC4-NY01 is advertising as a time server
  The DS CM-DC4-NY01 is advertising as a GC.
  ......................... CM-DC4-NY01 passed test Advertising
  Starting test: CheckSecurityError
  * Dr Auth: Beginning security errors check!
  Found KDC CM-DC1-NY01 for domain cmedia.local in site Default-First-Site-Name
  Checking machine account for DC CM-DC4-NY01 on DC CM-DC1-NY01.
  * SPN found :LDAP/CM-DC4-NY01.cmedia.local/cmedia.local
  * SPN found :LDAP/CM-DC4-NY01.cmedia.local
  * SPN found :LDAP/CM-DC4-NY01
  * SPN found :LDAP/CM-DC4-NY01.cmedia.local/cmedia
  * SPN found :LDAP/37830012-1f10-43c9-a0ff-2a0e8a912187._msdcs.cmedia.local
  * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/37830012-1f10-43c9-a0ff-2a0e8a912187/cmedia.local
  * SPN found :HOST/CM-DC4-NY01.cmedia.local/cmedia.local
  * SPN found :HOST/CM-DC4-NY01.cmedia.local
  * SPN found :HOST/CM-DC4-NY01
  * SPN found :HOST/CM-DC4-NY01.cmedia.local/cmedia
  * SPN found :GC/CM-DC4-NY01.cmedia.local/cmedia.local
  Checking for CN=CM-DC4-NY01,OU=Domain Controllers,DC=cmedia,DC=local in domain DC=cmedia,DC=local o
  n 2 servers
  Object is up-to-date on all servers.
  [CM-DC4-NY01] No security related replication errors were found on this DC! To target the connection to a
  specific source DC use /ReplSource:<DC>.
  ......................... CM-DC4-NY01 passed test CheckSecurityError
  Starting test: CutoffServers
  * Configuration Topology Aliveness Check
  * Analyzing the alive system replication topology for DC=ForestDnsZones,DC=cmedia,DC=local.
  * Performing upstream (of target) analysis.
  * Performing downstream (of target) analysis.
  * Analyzing the alive system replication topology for DC=DomainDnsZones,DC=cmedia,DC=local.
  * Performing upstream (of target) analysis.
  * Performing downstream (of target) analysis.
  * Analyzing the alive system replication topology for CN=Schema,CN=Configuration,DC=cmedia,DC=local.
  * Performing upstream (of target) analysis.
  * Performing downstream (of target) analysis.
  * Analyzing the alive system replication topology for CN=Configuration,DC=cmedia,DC=local.
  * Performing upstream (of target) analysis.
  * Performing downstream (of target) analysis.
  * Analyzing the alive system replication topology for DC=cmedia,DC=local.
  * Performing upstream (of target) analysis.
  * Performing downstream (of target) analysis.
  ......................... CM-DC4-NY01 passed test CutoffServers
  Starting test: FrsEvent
  * The File Replication Service Event log test
  ......................... CM-DC4-NY01 passed test FrsEvent
  Starting test: DFSREvent
  The DFS Replication Event Log.
  Skip the test because the server is running FRS.
  ......................... CM-DC4-NY01 passed test DFSREvent
  Starting test: SysVolCheck
  * The File Replication Service SYSVOL ready test
  File Replication Service's SYSVOL is ready
  ......................... CM-DC4-NY01 passed test SysVolCheck
  Starting test: FrsSysVol
  * The File Replication Service SYSVOL ready test
  File Replication Service's SYSVOL is ready
  ......................... CM-DC4-NY01 passed test FrsSysVol
  Starting test: KccEvent
  * The KCC Event log test
  Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
  ......................... CM-DC4-NY01 passed test KccEvent
  Starting test: KnowsOfRoleHolders
  Role Schema Owner = CN=NTDS Settings,CN=CM-DC1-NY01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Confi
  guration,DC=cmedia,DC=local
  Role Domain Owner = CN=NTDS Settings,CN=CM-DC1-NY01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Confi
  guration,DC=cmedia,DC=local
  Role PDC Owner = CN=NTDS Settings,CN=CM-DC1-NY01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configur
  ation,DC=cmedia,DC=local
  Role Rid Owner = CN=NTDS Settings,CN=CM-DC1-NY01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configur
  ation,DC=cmedia,DC=local
  Role Infrastructure Update Owner = CN=NTDS Settings,CN=CM-DC1-NY01,CN=Servers,CN=Default-First-Site-Name,CN
  =Sites,CN=Configuration,DC=cmedia,DC=local
  ......................... CM-DC4-NY01 passed test KnowsOfRoleHolders
  Starting test: MachineAccount
  Checking machine account for DC CM-DC4-NY01 on DC CM-DC4-NY01.
  * SPN found :LDAP/CM-DC4-NY01.cmedia.local/cmedia.local
  * SPN found :LDAP/CM-DC4-NY01.cmedia.local
  * SPN found :LDAP/CM-DC4-NY01
  * SPN found :LDAP/CM-DC4-NY01.cmedia.local/cmedia
  * SPN found :LDAP/37830012-1f10-43c9-a0ff-2a0e8a912187._msdcs.cmedia.local
  * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/37830012-1f10-43c9-a0ff-2a0e8a912187/cmedia.local
  * SPN found :HOST/CM-DC4-NY01.cmedia.local/cmedia.local
  * SPN found :HOST/CM-DC4-NY01.cmedia.local
  * SPN found :HOST/CM-DC4-NY01
  * SPN found :HOST/CM-DC4-NY01.cmedia.local/cmedia
  * SPN found :GC/CM-DC4-NY01.cmedia.local/cmedia.local
  ......................... CM-DC4-NY01 passed test MachineAccount
  Starting test: NCSecDesc
  * Security Permissions check for all NC's on DC CM-DC4-NY01.
  The forest is not ready for RODC. Will skip checking ERODC ACEs.
  * Security Permissions Check for
  DC=ForestDnsZones,DC=cmedia,DC=local
  (NDNC,Version 3)
  * Security Permissions Check for
  DC=DomainDnsZones,DC=cmedia,DC=local
  (NDNC,Version 3)
  * Security Permissions Check for
  CN=Schema,CN=Configuration,DC=cmedia,DC=local
  (Schema,Version 3)
  * Security Permissions Check for
  CN=Configuration,DC=cmedia,DC=local
  (Configuration,Version 3)
  * Security Permissions Check for
  DC=cmedia,DC=local
  (Domain,Version 3)
  ......................... CM-DC4-NY01 passed test NCSecDesc
  Starting test: NetLogons
  * Network Logons Privileges Check
  Verified share \\CM-DC4-NY01\netlogon
  Verified share \\CM-DC4-NY01\sysvol
  ......................... CM-DC4-NY01 passed test NetLogons
  Starting test: ObjectsReplicated
  CM-DC4-NY01 is in domain DC=cmedia,DC=local
  Checking for CN=CM-DC4-NY01,OU=Domain Controllers,DC=cmedia,DC=local in domain DC=cmedia,DC=local o
  n 3 servers
  Object is up-to-date on all servers.
  Checking for CN=NTDS Settings,CN=CM-DC4-NY01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuratio
  n,DC=cmedia,DC=local in domain CN=Configuration,DC=cmedia,DC=local on 3 servers
  Object is up-to-date on all servers.
  ......................... CM-DC4-NY01 passed test ObjectsReplicated
  Starting test: OutboundSecureChannels
  * The Outbound Secure Channels test
  ** Did not run Outbound Secure Channels test because /testdomain: was not entered
  ......................... CM-DC4-NY01 passed test OutboundSecureChannels
  Starting test: Replications
  * Replications Check
  * Replication Latency Check
  DC=ForestDnsZones,DC=cmedia,DC=local
  Latency information for 4 entries in the vector were ignored.
  4 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's
  no longer replicating this nc. 0 had no latency information (Win2K DC).
  DC=DomainDnsZones,DC=cmedia,DC=local
  Latency information for 4 entries in the vector were ignored.
  4 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's
  no longer replicating this nc. 0 had no latency information (Win2K DC).
  CN=Schema,CN=Configuration,DC=cmedia,DC=local
  Latency information for 4 entries in the vector were ignored.
  4 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's
  no longer replicating this nc. 0 had no latency information (Win2K DC).
  CN=Configuration,DC=cmedia,DC=local
  Latency information for 4 entries in the vector were ignored.
  4 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's
  no longer replicating this nc. 0 had no latency information (Win2K DC).
  DC=cmedia,DC=local
  Latency information for 4 entries in the vector were ignored.
  4 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's
  no longer replicating this nc. 0 had no latency information (Win2K DC).
  ......................... CM-DC4-NY01 passed test Replications
  Starting test: RidManager
  * Available RID Pool for the Domain is 16109 to 1073741823
  * CM-DC1-NY01.cmedia.local is the RID Master
  * DsBind with RID Master was successful
  * rIDAllocationPool is 15609 to 16108
  * rIDPreviousAllocationPool is 15609 to 16108
  * rIDNextRID: 15609
  ......................... CM-DC4-NY01 passed test RidManager
  Starting test: Services
  * Checking Service: EventSystem
  * Checking Service: RpcSs
  * Checking Service: NTDS
  * Checking Service: DnsCache
  * Checking Service: NtFrs
  * Checking Service: IsmServ
  * Checking Service: kdc
  * Checking Service: SamSs
  * Checking Service: LanmanServer
  * Checking Service: LanmanWorkstation
  * Checking Service: w32time
  * Checking Service: NETLOGON
  ......................... CM-DC4-NY01 passed test Services
  Starting test: SystemLog
  * The System Event log test
  Found no errors in "System" Event log in the last 60 minutes.
  ......................... CM-DC4-NY01 passed test SystemLog
  Starting test: Topology
  * Configuration Topology Integrity Check
  * Analyzing the connection topology for DC=ForestDnsZones,DC=cmedia,DC=local.
  * Performing upstream (of target) analysis.
  * Performing downstream (of target) analysis.
  * Analyzing the connection topology for DC=DomainDnsZones,DC=cmedia,DC=local.
  * Performing upstream (of target) analysis.
  * Performing downstream (of target) analysis.
  * Analyzing the connection topology for CN=Schema,CN=Configuration,DC=cmedia,DC=local.
  * Performing upstream (of target) analysis.
  * Performing downstream (of target) analysis.
  * Analyzing the connection topology for CN=Configuration,DC=cmedia,DC=local.
  * Performing upstream (of target) analysis.
  * Performing downstream (of target) analysis.
  * Analyzing the connection topology for DC=cmedia,DC=local.
  * Performing upstream (of target) analysis.
  * Performing downstream (of target) analysis.
  ......................... CM-DC4-NY01 passed test Topology
  Starting test: VerifyEnterpriseReferences
  ......................... CM-DC4-NY01 passed test VerifyEnterpriseReferences
  Starting test: VerifyReferences
  The system object reference (serverReference) CN=CM-DC4-NY01,OU=Domain Controllers,DC=cmedia,DC=local
  and backlink on
  CN=CM-DC4-NY01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cmedia,DC=local are
  correct.
  The system object reference (serverReferenceBL)
  CN=CM-DC4-NY01,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=cmedia,D
  C=local
  and backlink on
  CN=NTDS Settings,CN=CM-DC4-NY01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=chiefmed
  ia,DC=local
  are correct.
  The system object reference (frsComputerReferenceBL)
  CN=CM-DC4-NY01,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=cmedia,D
  C=local
  and backlink on CN=CM-DC4-NY01,OU=Domain Controllers,DC=cmedia,DC=local are correct.
  ......................... CM-DC4-NY01 passed test VerifyReferences
  Starting test: VerifyReplicas
  ......................... CM-DC4-NY01 passed test VerifyReplicas

• Cant't Add Domain Controller

  We have an aging directory service deployment that began with Server 2003 and was upgrade to Server 2008 R2. A while back I remember trying to add a new 2008 R2 domain controller and it gave me some error. We have 5 domain controllers at 5 offices, all the
  major 5 roles are installed at the main office. Now I NEED to replace these servers with new 2012 R2 servers that are joined to the domain and ready to role.
  And the error hath returned...
  (And first off, I have raised domain functionality to 2008 level via sites/domains MMC, and prepped it years ago when I upgraded to 2008. It seems I have a really awful domain corruption issue of some kind, and I suspect the underlying DFS share for AD (sysvol)
  is possibly part of the problem.
  I am tempting to start a new domain, but I dont want to change 60+ desktops over and have all those users hate me as they will not have every single profile setting copied over (like their outlook databases that will need redownloaded, and their CAD
  settings that dont seem to copy with my hacker style profile migration process)
  So, can anyone suggest some troubleshooting tips, or is their a way to backup and restore the AD database to the new server and tell the old servers to go away? Back in the SBS days we use to do something called a swing migration, but I dont think it will
  fit this situation easily.
  Troubleshooting steps and all advise is welcome!
  Thanks,
  Andy

  As Thameur mentioned, please check your Forest Functional Level as it need to be Windows Server 2003 or higher. More details here: http://technet.microsoft.com/en-us/library/hh994618.aspx#BKMK_FunctionalLevels
  You can also start with this troubleshooting guide: http://social.technet.microsoft.com/wiki/contents/articles/18513.active-directory-replication-issues-basic-troubleshooting-steps-single-ad-domain-in-a-single-ad-forest.aspx
  This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
  Get Active Directory User Last Logon
  Create an Active Directory test domain similar to the production one
  Management of test accounts in an Active Directory production domain - Part I
  Management of test accounts in an Active Directory production domain - Part II
  Management of test accounts in an Active Directory production domain - Part III
  Reset Active Directory user password

• Lack of Connectivty to Domain Controller - Domain Controller Access Issues Requires Repeated Reauthentication

  Sorry if my attempt to be thorough in my description may result in excessive and unnecessary information. 
  I'm running into some problems with a single server running WS 2012 R2 as a domain controller (AD and DNS) and I’m trying to figure out what the cause is. 
  The network has ~10 computers on it connected through a cable business gateway (running DHCP) which feeds 2 switches and a wireless router acting as a switch. (I also turned on remote services, but the end users aren’t using that until I get certificates
  setup.)
  For 6+ months everyone had access to the shared files and databases on each workstation without issue. 
  In the last month users would occasionally have to re-enter their credentials to get access to shared server folders despite being on a domain account already. 
  Last week one of the computers intermittently cannot gain access to the shared folders– entering the correct credentials just results in the credentials being requested again and again: There’s an error icon at the bottom saying that “there are currently
  no logon servers available to service the logon request”.  While access is rejected I’m still able to ping the DC both via its name and IPV4 address. 
  (Pinging via its name results in an IPv6 address in the response.) 
  Other network connectivity appears intact (able to browse the web, perform network discovery.)
  Things that ‘seem’ to allow access on this computer until the next failure:
  Entering a different domain username and password into the windows credentials request has allowed access a couple of times.
  Disconnecting and reconnecting the network cable allowed the original username to be used to log on (at least once.)
  After removing it from and then rejoining it to the domain (a few hours ago) it experienced the problem once more. Also, logging on with domain credentials created a TEMP user folder instead of the folder with the domain username. 
  Looking at the event logs, I notice there are quite a few warnings and errors reported regarding DC access on many of the computers; maybe this is normal?
  Most Problematic Computer:
  Event ID 8016:  System failed to register host A or AAAA resource records. (With an unknown Ipv6 and the server’s ipv4 address in the DNS server list.) 
  Event ID 131:  NtpClient unable to set a domain peer to use as a time source because of DNS resolution error on ‘Server.domain.local’ 
  ‘No such host is known.”
  Event ID 5719:  NETLOGON. This computer was not able to setup a secure session with a domain controller in the domain due …..: there are currently no logon servers available to service the logon request.
  And then pairs of: Event 1500: The Group Policy settings for the computer were processed successfully. There were no changes detected since the last successful processing of Group Policy. & Event 1054:
   The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
  Event 1030:  The processing of Group Policy failed. Windows attempted to retrieve new Group Policy settings for this user or computer. Look in the details tab for error code and description. Windows will automatically retry this operation
  at the next refresh cycle. Computers joined to the domain must have proper name resolution and network connectivity to a domain controller for discovery of new Group Policy objects and settings. An event will be logged when Group Policy is successful.
  On the server I’ve run DCDIAG and DCDIAG /test:DNS and those all appeared to pass.
  Ipconfig/all from the server:
     Connection-specific DNS Suffix 
     Description . . . . . . . . . . . : Intel(R) Ethernet Connection I217-LM
     Physical Address. . . . . . . . . : FC-4D-D4-F2-A1-83
     DHCP Enabled. . . . . . . . . . . : No
     Autoconfiguration Enabled . . . . : Yes
     IPv6 Address. . . . . . . . . . . : 2601:8:a182:1100:b155:a0b0:892d:9ed5(Pref
  erred)
     Link-local IPv6 Address . . . . . : fe80::b155:a0b0:892d:9ed5%13(Preferred)
     IPv4 Address. . . . . . . . . . . : 10.1.10.42(Preferred)
     Subnet Mask . . . . . . . . . . . : 255.255.255.0
     Default Gateway . . . . . . . . . : fe80::abd:43ff:fe9a:ab47%13
   10.1.10.1
     DHCPv6 IAID . . . . . . . . . . . : 234638804
     DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-3F-7D-B9-68-05-CA-24-31-C4
     DNS Servers . . . . . . . . . . . : ::1
  127.0.0.1
     NetBIOS over Tcpip. . . . . . . . : Enabled
  Ipconfig/all from the problematic computer:
  Wireless LAN adapter Wi-Fi:
     Connection-specific DNS Suffix 
  . : wp.comcast.net
     Description . . . . . . . . . . . : Intel(R) Centrino(R) Wireless-N 6150
     Physical Address. . . . . . . . . : 40-25-C2-63-C2-B8
     DHCP Enabled. . . . . . . . . . . : Yes
     Autoconfiguration Enabled . . . . : Yes
     IPv6 Address. . . . . . . . . . . : 2601:8:a182:1100:8f5:1606:d0a8:6b25(Prefe
  rred)
     Temporary IPv6 Address. . . . . . : 2601:8:a182:1100:283e:f9e8:4841:6c50(Pref
  erred)
     Link-local IPv6 Address . . . . . : fe80::8f5:1606:d0a8:6b25%3(Preferred)
     IPv4 Address. . . . . . . . . . . : 10.1.10.31(Preferred)
     Subnet Mask . . . . . . . . . . . : 255.255.255.0
     Lease Obtained. . . . . . . . . . : Tuesday, March 10, 2015 9:19:02 AM
     Lease Expires . . . . . . . . . . : Tuesday, March 17, 2015 1:23:15 PM
     Default Gateway . . . . . . . . . : fe80::abd:43ff:fe9a:ab47%3
  10.1.10.1
     DHCP Server . . . . . . . . . . . : 10.1.10.1
     DHCPv6 IAID . . . . . . . . . . . : 54535618
     DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-15-6B-AA-F0-DE-F1-9C-07-D4
     DNS Servers . . . . . . . . . . . : 2001:558:feed::1
  2001:558:feed::2
                  10.1.10.42
     NetBIOS over Tcpip. . . . . . . . : Enabled
  Any thoughts? I was assuming it was a Domain Controller/DNS error, but I don't know where to check next.  Could a failing piece of hardware be the culprit? 
  Thanks,
   -JT

  Hi,
  According to the error you have posted.
  A Netlogon 5719 event indicates that the client component of Netlogon was unable to locate a DC for the domain it was trying to perform an operation against.
  Most of the time this is caused by network issues or name resolution (DNS/WINS) issues, you could refer to:
  Netlogon 5719 and the Disappearing Domain [Controller]
  http://blogs.technet.com/b/instan/archive/2008/09/18/netlogon-5719-and-the-disappearing-domain.aspx
  Did you refer to this KB article?
  Event ID 5719 is logged when you start a Domain Member
  http://support.microsoft.com/kb/938449
  Regards.
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• Provision Search in SharePoint Foundation 2013 without Domain Controller / Active Directory - Domain accounts

  Hi,
  I have successfully setup SharePoint Foundation 2013 as single server farm with SQL Server Standard database in a DMZ environment using local accounts since DMZ doesn't have an Active Directory and hence Domain accounts using powershell as described
  in https://theblobfarm.wordpress.com/2012/12/03/installing-sharepoint-2013-without-a-domain-controller 
  When I run Farm configuration wizard to provision search service application, I get an error:
  ERROR: "The service application(s) for the service "Search Service Application" could not be provisioned because of the following error: I/O error occurred."
  The log file logged the details of this error as:
  ERROR: "Failed to create file share Analytics_e441aa1c-1a8d-4f0a-a079-58b499eb4c50 at D:\SharePoint Search\Office Server\Analytics_e441aa1c-1a8d-4f0a-a079-58b499eb4c50 (System.ArgumentException: The SDDL string contains an invalid sid or a sid
  that cannot be translated."
  After investigation, I found that potentially the error could be because the timer service is trying to setup a network share for analytics component (as part of provisioning search). It is trying to setup that share with a domain account that happens to
  be a local user instead in this case and fails with error “System.ArgumentException: The SDDL string contains an invalid sid or a sid that cannot be translated”.
  I got some pointer from the below thread
  https://social.technet.microsoft.com/Forums/en-US/c8e93984-f4e5-46da-8e8a-c5c79ea1ff62/error-creating-search-service-application-on-sharepoint-foundation-with-local-account?forum=sharepointadmin
  However, the above thread doesn't state that the solution worked.
  I have tried creating share manually for Analytics_<Guid> folder but it doesn't work since every time farm configuration wizards is run it creates a new Analytics_<Guid> folder.
  Since, I have setup SharePoint Foundation 2013 on a production environment I cannot test and trial various solutions.
  Can some please guide me on how to successfully provision search for SharePoint Foundation 2013 setup as a single server farm with SQL Server Standard database in a DMZ environment using local accounts (without Active Directory - domain accounts).
  Thanks in advance.
  Himanshu

  Microsoft documentation doesn't always specifically call out all products (Project Server isn't there, either). But it does apply. You'll need to stand up at least one Domain Controller, or allow port access back to a DC.
  Preferably, set up SharePoint on the internal network and use a reverse proxy (which will terminate client connections at the reverse proxy) present in the DMZ.
  Trevor Seward
  Follow or contact me at...
  &nbsp&nbsp
  This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

• Windows Server 2012 Standard - HP OfficeJet Pro 8600 Plus printer not working after promoting to Domain Controller / AD Services

  An associate and myself installed the built-in drivers for the HP OfficeJet Pro 8600 Plus multi-function (network) printer on a Windows Server 2012 Standard server installation and everything worked fine whenever I want to print anything directly from the
  Windows Server machine (there's a reason for this, so please understand that ;)  ).
  We were able to print without any problems from the Windows Server 2012 machine, using the drivers from Microsoft.  Mainly, because HP has not listed any specific support for Windows Server 2012, only Windows Server 2008 R2, however, the drivers that
  came with Windows 2012 seem to work very well.
  PROBLEM: I later had to promote the Windows Server 2012 to a Domain Controller, and created the Active Directory configurations, even enabled the Print Services.  After doing all of that, the HP printer will not print anything.  It's like all print
  requests directly from the Windows Server go to Nil.
  Has anyone encountered a problem like this before? The only thing I can think of is that after perhaps something affected printing directly once we promoted the server to being a DC, and added other features / roles.  I even tried installing the
  HP drivers for Windows Server 2008 R2, and the results are still the same...nothing prints.  Trust me, the printer is set as the Default Printer and even when choosing to print, we make sure the HP OfficeJet Pro is selected, and is on, as other Windows
  Client PC's can print to it directly.
  Does anyone have any suggestions we could try?  Thanks in advance.

  While it is quite a while since this was posted - I can concur a similar issue exists.
  We have spent the better part of a day trying to work out why other HP printers work fine but our 8620 prints are not printing and going to Nil.  The print server is hosted on a shared DC.  Comparing to the initial posters details, for some reason
  it seems to be most commonly related to the OfficeJet Pro 8600/8610/8620/8630 series printers.
  I ended up doing a print server migration from the domain controller to stand alone host and all printers now work from a single server rather than a mix.  Domain controller OSes varied from 2008, 2012, 2012 R2 (tested with multiple) and only after
  all of those failed then tried a stand alone server os machine as a last resort which worked fine.  Printing directly from Win 7 / 8 /8.1 clients to the IP always worked.